views: 588
answers: 5

In a PHP project I'm developing I have a couple of requests that can be either POST or GET. Currently, I'm using the `$_SERVER['REQUEST_METHOD']` value to determine which request array to use. I know that `$_REQUEST` values can be manipulated with cookies; is the `$_SERVER` superglobal vulnerable to attacks?

+5  A: 

The $_SERVER superglobal is filled by PHP with data it gets from the web server.

So unless the attacker replaces the web server with his own, or manages an extremely lucky buffer overflow against the server, you are fine.

gnud
A: 

REQUEST_METHOD isn't limited to POST and GET though - you also need to handle HEAD (IIRC PHP will terminate the script at the first sign of output when it sees that header) and (on unlikely setups) you might get a few WebDAV ones.

Ant P.
I believe the PHP engine runs the entire script and just throws away the output for HEAD. It keeps the execution environment simpler.
Tom
It actually stops and sends out the headers after it encounters the first bit of content. Some template systems break this functionality by keeping everything buffered until the very last call.
Jacco
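The two answers above (gnud's point that `$_SERVER` is filled from the web server, and Ant P.'s reminder that `REQUEST_METHOD` is not limited to GET and POST) suggest a small dispatcher. The code below is an added example, not code from the thread; it reads the method from `$_SERVER['REQUEST_METHOD']`, treats HEAD like GET, answers everything else with a 405, and then reads parameters only from the array it selected rather than from `$_REQUEST`. The `id` parameter and the fallback to GET when the script runs from the CLI are assumptions for illustration.

```php
<?php
// Added example: choose the input array from REQUEST_METHOD with a strict
// allowlist. Not from the original thread; 'id' is a constructed parameter.

declare(strict_types=1);

/**
 * Return the parameter array for this request, or null if the method is not
 * one we handle. HEAD is mapped to GET: PHP/the server discard the body, so a
 * HEAD request should take exactly the GET code path and nothing else.
 */
function selectInput(string $method, array $get, array $post): ?array
{
    switch (strtoupper($method)) {
        case 'GET':
        case 'HEAD':
            return $get;
        case 'POST':
            return $post;
        default:
            // PUT, DELETE, WebDAV verbs such as PROPFIND, etc. are not handled here.
            return null;
    }
}

// REQUEST_METHOD is set by the SAPI from the request line; it is absent under
// the CLI, so fall back to GET there (assumption for running this stand-alone).
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$input  = selectInput($method, $_GET, $_POST);

if ($input === null) {
    // 405 plus an Allow header tells the client which verbs are accepted.
    http_response_code(405);
    header('Allow: GET, HEAD, POST');
    exit;
}

// From here on read only from $input, never from $_REQUEST, so a cookie can
// never shadow a query-string or form value (the concern raised in the question).
$id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit;
}

echo "Handling {$method} for id={$id}\n";
```

Because `header()` and `http_response_code()` are no-ops outside a web SAPI, the script can be run from the command line to exercise `selectInput()` with a `REQUEST_METHOD` environment value, but its real purpose is to show that the only client-influenced input here is the verb itself, and that the verb is checked against an allowlist before any request data is touched.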
A: 

Thanks for the tip about HEAD. I tested my code and it only accepts GET and POST; all other values are ignored by my code but handled correctly by Apache.

I don't use WebDAV in my app and it isn't supported on the current shared hosting server I use, but I wonder, what issues would that be?

A: 

In what sense can $_REQUEST be "manipulated" with cookies? Cookies do override values coming from POST and GET, but all three values are directly controlled by the client making the request.

If you want GET and POST to have priority over cookies, you can set the variable request_order in your php.ini:

request_order = CGP

(which gives POST priority over GET over cookies). You can even leave out C altogether.

Lamah
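To make the precedence rule in this answer concrete, here is an added example (not Lamah's code and not PHP's own implementation) that emulates how `request_order` populates `$_REQUEST`: the letters are processed left to right and each later source overwrites earlier ones. The GET, POST and cookie arrays below are constructed sample input in which the same key arrives through all three channels.

```php
<?php
// Added example: emulate request_order to show which source wins for a
// colliding key. The sample input arrays are constructed for illustration.

declare(strict_types=1);

/**
 * Build a $_REQUEST-like array from $order, e.g. "GPC" or "CGP".
 * Letters are applied left to right; later sources overwrite earlier ones,
 * which is how PHP's request_order directive behaves. Unknown letters are
 * ignored, and a letter that is left out (for example C) never contributes.
 */
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Constructed sample: the 'user' key is supplied by query string, form body
// and cookie at the same time, which is the collision the question asks about.
$get    = ['user' => 'from-query',  'page' => '2'];
$post   = ['user' => 'from-form',   'csrf' => 'token'];
$cookie = ['user' => 'from-cookie', 'session' => 'abc'];

foreach (['GPC', 'CGP', 'GP'] as $order) {
    $merged = buildRequest($order, $get, $post, $cookie);
    printf("request_order=%-3s user=%s keys=%s\n",
        $order, $merged['user'], implode(',', array_keys($merged)));
}
```

With `GPC` the cookie value ends up in `$_REQUEST['user']`, which is the shadowing the question describes; with `CGP` the form value wins, and with `GP` cookie keys never enter the merged array at all. Whatever order is configured, reading from `$_GET` or `$_POST` directly, as the question's code already does, sidesteps the merge entirely.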
A: 

@Lamah: That's exactly what I meant: a cookie value can override POST or GET values, so "manipulated" maybe wasn't the right term to use. I was wondering if there's a way to manipulate the `$_SERVER` array in a similar way.